commit 9c03f1622af051004416dd3e24d8a0fa31e34178 Merge: a4128b0 eefdca0 Author: Linus Torvalds Date: Tue Sep 14 17:07:51 2010 -0700 Merge ssh://master.kernel.org/home/hpa/tree/sec * ssh://master.kernel.org/home/hpa/tree/sec: x86-64, compat: Retruncate rax after ia32 syscall entry tracing x86-64, compat: Test %rax for the syscall number, not %eax compat: Make compat_alloc_user_space() incorporate the access_ok() commit a4128b03ff1ff5bc6ea922518a3f36a09b914379 Author: David Howells Date: Tue Sep 14 17:59:15 2010 +0100 MN10300: Fix up the IRQ names for the on-chip serial ports Fix up the IRQ names for the MN10300 on-chip serial ports in the driver as request_interrupt() no longer allows names containing slashes, giving a warning like the following if one is encountered: ------------[ cut here ]------------ WARNING: at fs/proc/generic.c:323 __xlate_proc_name+0x62/0x7c() name 'ttySM0/Rx' Signed-off-by: David Howells Signed-off-by: Linus Torvalds commit 65e0b598bdb3fe1122ab9a9708fc785e7ac41671 Merge: d7a4b63 99d3896 Author: Linus Torvalds Date: Tue Sep 14 17:05:39 2010 -0700 Merge git://git.infradead.org/mtd-2.6 * git://git.infradead.org/mtd-2.6: mtd: pxa3xx: fix build error when CONFIG_MTD_PARTITIONS is not defined mtd: mxc_nand: configure pages per block for v2 controller mtd: OneNAND: Fix loop hang when DMA error at Samsung SoCs mtd: OneNAND: Fix 2KiB pagesize handling at Samsung SoCs mtd: Blackfin NFC: fix invalid free in remove() mtd: Blackfin NFC: fix build error after nand_scan_ident() change mxc_nand: Do not do byte accesses to the NFC buffer. commit d7a4b63b5138e29122e72a5192d98be86ca68cca Merge: de8d4f5 8fe294c Author: Linus Torvalds Date: Tue Sep 14 17:05:09 2010 -0700 Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/hid * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/hid: HID: fix hiddev's use of usb_find_interface HID: fixup blacklist entry for Asus T91MT HID: add device ID for new Asus Multitouch Controller HID: add no-get quirk for eGalax touch controller HID: Add quirk for eGalax touch controler. HID: add support for another BTC Emprex remote control HID: Set Report ID properly for Output reports on the Control endpoint. HID: Kanvus Note A5 tablet needs HID_QUIRK_MULTI_INPUT HID: Add support for chicony multitouch screens. commit de8d4f5d758786a2cbcfa54a6a85ce747e5637e3 Merge: 75e1c70 827e345 Author: Linus Torvalds Date: Tue Sep 14 17:04:48 2010 -0700 Merge branch 'bugfixes' of git://git.linux-nfs.org/projects/trondmy/nfs-2.6 * 'bugfixes' of git://git.linux-nfs.org/projects/trondmy/nfs-2.6: SUNRPC: Fix the NFSv4 and RPCSEC_GSS Kconfig dependencies statfs() gives ESTALE error NFS: Fix a typo in nfs_sockaddr_match_ipaddr6 sunrpc: increase MAX_HASHTABLE_BITS to 14 gss:spkm3 miss returning error to caller when import security context gss:krb5 miss returning error to caller when import security context Remove incorrect do_vfs_lock message SUNRPC: cleanup state-machine ordering SUNRPC: Fix a race in rpc_info_open SUNRPC: Fix race corrupting rpc upcall Fix null dereference in call_allocate commit 75e1c70fc31490ef8a373ea2a4bea2524099b478 Author: Jeff Moyer Date: Fri Sep 10 14:16:00 2010 -0700 aio: check for multiplication overflow in do_io_submit Tavis Ormandy pointed out that do_io_submit does not do proper bounds checking on the passed-in iocb array:        if (unlikely(nr < 0))                return -EINVAL;        if (unlikely(!access_ok(VERIFY_READ, iocbpp, (nr*sizeof(iocbpp)))))                return -EFAULT;                      ^^^^^^^^^^^^^^^^^^ The attached patch checks for overflow, and if it is detected, the number of iocbs submitted is scaled down to a number that will fit in the long.  This is an ok thing to do, as sys_io_submit is documented as returning the number of iocbs submitted, so callers should handle a return value of less than the 'nr' argument passed in. Reported-by: Tavis Ormandy Signed-off-by: Jeff Moyer Signed-off-by: Linus Torvalds commit eefdca043e8391dcd719711716492063030b55ac Author: Roland McGrath Date: Tue Sep 14 12:22:58 2010 -0700 x86-64, compat: Retruncate rax after ia32 syscall entry tracing In commit d4d6715, we reopened an old hole for a 64-bit ptracer touching a 32-bit tracee in system call entry. A %rax value set via ptrace at the entry tracing stop gets used whole as a 32-bit syscall number, while we only check the low 32 bits for validity. Fix it by truncating %rax back to 32 bits after syscall_trace_enter, in addition to testing the full 64 bits as has already been added. Reported-by: Ben Hawkes Signed-off-by: Roland McGrath Signed-off-by: H. Peter Anvin commit 36d001c70d8a0144ac1d038f6876c484849a74de Author: H. Peter Anvin Date: Tue Sep 14 12:42:41 2010 -0700 x86-64, compat: Test %rax for the syscall number, not %eax On 64 bits, we always, by necessity, jump through the system call table via %rax. For 32-bit system calls, in theory the system call number is stored in %eax, and the code was testing %eax for a valid system call number. At one point we loaded the stored value back from the stack to enforce zero-extension, but that was removed in checkin d4d67150165df8bf1cc05e532f6efca96f907cab. An actual 32-bit process will not be able to introduce a non-zero-extended number, but it can happen via ptrace. Instead of re-introducing the zero-extension, test what we are actually going to use, i.e. %rax. This only adds a handful of REX prefixes to the code. Reported-by: Ben Hawkes Signed-off-by: H. Peter Anvin Cc: Cc: Roland McGrath Cc: Andrew Morton commit c41d68a513c71e35a14f66d71782d27a79a81ea6 Author: H. Peter Anvin Date: Tue Sep 7 16:16:18 2010 -0700 compat: Make compat_alloc_user_space() incorporate the access_ok() compat_alloc_user_space() expects the caller to independently call access_ok() to verify the returned area. A missing call could introduce problems on some architectures. This patch incorporates the access_ok() check into compat_alloc_user_space() and also adds a sanity check on the length. The existing compat_alloc_user_space() implementations are renamed arch_compat_alloc_user_space() and are used as part of the implementation of the new global function. This patch assumes NULL will cause __get_user()/__put_user() to either fail or access userspace on all architectures. This should be followed by checking the return value of compat_access_user_space() for NULL in the callers, at which time the access_ok() in the callers can also be removed. Reported-by: Ben Hawkes Signed-off-by: H. Peter Anvin Acked-by: Benjamin Herrenschmidt Acked-by: Chris Metcalf Acked-by: David S. Miller Acked-by: Ingo Molnar Acked-by: Thomas Gleixner Acked-by: Tony Luck Cc: Andrew Morton Cc: Arnd Bergmann Cc: Fenghua Yu Cc: H. Peter Anvin Cc: Heiko Carstens Cc: Helge Deller Cc: James Bottomley Cc: Kyle McMartin Cc: Martin Schwidefsky Cc: Paul Mackerras Cc: Ralf Baechle Cc: commit 8fe294caf8c868edd9046251824a0af91991bf43 Author: Guillaume Chazarain Date: Sun Sep 12 21:32:35 2010 +0200 HID: fix hiddev's use of usb_find_interface My macbook infrared remote control was broken by commit bd25f4dd6972755579d0ea50d1a5ace2e9b00d1a ("HID: hiddev: use usb_find_interface, get rid of BKL"). This device appears in dmesg as: apple 0003:05AC:8242.0001: hiddev0,hidraw0: USB HID v1.11 Device [Apple Computer, Inc. IR Receiver] on usb-0000:00:1d.2-1/input0 It stopped working as lircd was getting ENODEV when opening /dev/usb/hiddev0. AFAICS hiddev_driver is a dummy driver so usb_find_interface(&hiddev_driver) does not find anything. The device is associated with the usbhid driver, so let's do usb_find_interface(&hid_driver) instead. $ ls -l /sys/devices/pci0000:00/0000:00:1d.2/usb7/7-1/7-1:1.0/usb/hiddev0/device/driver lrwxrwxrwx 1 root root 0 2010-09-12 16:28 /sys/devices/pci0000:00/0000:00:1d.2/usb7/7-1/7-1:1.0/usb/hiddev0/device/driver -> ../../../../../../bus/usb/drivers/usbhid Signed-off-by: Guillaume Chazarain Signed-off-by: Jiri Kosina commit bfa88ea7ee9e6b4fd673e45a8cc0a8e0b7ef4761 Merge: 1d91686 0bf377b Author: Linus Torvalds Date: Mon Sep 13 14:34:27 2010 -0700 Merge branch 'sched/urgent' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip * 'sched/urgent' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip: sched: Improve latencies under load by decreasing minimum scheduling granularity commit 1d91686a475381443a5e00ff3a6ab1ee61d6af28 Merge: ab22c17 edc805b Author: Linus Torvalds Date: Mon Sep 13 12:51:22 2010 -0700 Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/geert/linux-m68k * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/geert/linux-m68k: m68k,m68knommu: Wire up fanotify_init, fanotify_mark, and prlimit64 commit ab22c17cd2a9840b4457a656fd377c73ec4f518d Merge: ed8f425 f574c84 Author: Linus Torvalds Date: Mon Sep 13 12:49:55 2010 -0700 Merge branch 'release' of git://git.kernel.org/pub/scm/linux/kernel/git/aegl/linux-2.6 * 'release' of git://git.kernel.org/pub/scm/linux/kernel/git/aegl/linux-2.6: [IA64] fix siglock Quoth Tony: "I committed the fix for this last week prior to your -rc4 announcement reminding us to give proper "Reported-by:" credit. This one should have had: Reported-by: Tony Ernst and also Much-useful-investigation-and-tracing-by: Hedi Berriche Much-useful-investigation-and-tracing-by: Petr Tesarik " commit ed8f425f546a2242a97f61fabcbe9e50a2559a19 Merge: 1421e98 3267039 Author: Linus Torvalds Date: Mon Sep 13 12:47:08 2010 -0700 Merge git://git.kernel.org/pub/scm/linux/kernel/git/sfrench/cifs-2.6 * git://git.kernel.org/pub/scm/linux/kernel/git/sfrench/cifs-2.6: cifs: prevent possible memory corruption in cifs_demultiplex_thread cifs: eliminate some more premature cifsd exits cifs: prevent cifsd from exiting prematurely [CIFS] ntlmv2/ntlmssp remove-unused-function CalcNTLMv2_partial_mac_key cifs: eliminate redundant xdev check in cifs_rename Revert "[CIFS] Fix ntlmv2 auth with ntlmssp" Revert "missing changes during ntlmv2/ntlmssp auth and sign" Revert "Eliminate sparse warning - bad constant expression" Revert "[CIFS] Eliminate unused variable warning" commit 1421e98662f1cab802e0fa39d16b8dc6b874a4eb Merge: 2bb3a25 1d76e31 Author: Linus Torvalds Date: Mon Sep 13 12:46:35 2010 -0700 Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ericvh/v9fs * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ericvh/v9fs: fs/9p: Don't use dotl version of mknod for dotu inode operations fs/9p: Use the correct dentry operations 9p: Check for NULL fid in v9fs_dir_release() fs/9p: Fix error handling in v9fs_get_sb fs/9p, net/9p: memory leak fixes commit 2bb3a259d8205e5779d59343994828376b0e2d96 Merge: 6142811 d530148 Author: Linus Torvalds Date: Mon Sep 13 12:46:09 2010 -0700 Merge branch 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-fs-2.6 * 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-fs-2.6: dquot: do full inode dirty in allocating space commit 6142811a3395188bac6fa4f5c4223471b1ac98a8 Merge: 49553c2 25c8e03 Author: Linus Torvalds Date: Mon Sep 13 12:45:50 2010 -0700 Merge branch 'next-spi' of git://git.secretlab.ca/git/linux-2.6 * 'next-spi' of git://git.secretlab.ca/git/linux-2.6: spi/pl022: move probe call to subsys_initcall() powerpc/5200: mpc52xx_uart.c: Add of_node_put to avoid memory leak spi/pl022: fix APB pclk power regression on U300 spi/spi_s3c64xx: Warn if PIO transfers time out spi/s3c64xx: Fix incorrect reuse of 'val' local variable. spi/s3c64xx: Fix compilation warning spi/dw_spi: clean the cs_control code spi/dw_spi: Allow interrupt sharing spi/spi_s3c64xx: Increase dead reckoning time in wait_for_xfer() spi/spi_s3c64xx: Move to subsys_initcall() spi: free children in spi_unregister_master, not siblings gpiolib: Add 'struct gpio_chip' forward declaration for !GPIOLIB case of: Fix missing includes - ll_temac spi/spi_s3c64xx: Staticise non-exported functions spi/spi_s3c64xx: Make probe more robust against missing board config commit edc805b7c5e45c3d7202cea5239985d204178e24 Author: Geert Uytterhoeven Date: Mon Aug 16 14:05:20 2010 +0200 m68k,m68knommu: Wire up fanotify_init, fanotify_mark, and prlimit64 Signed-off-by: Geert Uytterhoeven Acked-by: Greg Ungerer commit 0bf377bbb0bea6130f35613491887cc622e42a8b Author: Ingo Molnar Date: Sun Sep 12 08:14:52 2010 +0200 sched: Improve latencies under load by decreasing minimum scheduling granularity Mathieu reported bad latencies with make -j10 kind of kbuild workloads - which is mostly caused by us scheduling with a too coarse granularity. Reduce the minimum granularity some more, to make sure we can meet the latency target. I got the following results (make -j10 kbuild load, average of 3 runs): vanilla: maximum latency: 38278.9 µs average latency: 7730.1 µs patched: maximum latency: 22702.1 µs average latency: 6684.8 µs Mathieu also measured it: | | * wakeup-latency.c (SIGEV_THREAD) with make -j10 | | - Mainline 2.6.35.2 kernel | | maximum latency: 45762.1 µs | average latency: 7348.6 µs | | - With only Peter's smaller min_gran (shown below): | | maximum latency: 29100.6 µs | average latency: 6684.1 µs | Reported-by: Mathieu Desnoyers Reported-by: Linus Torvalds Acked-by: Mathieu Desnoyers Suggested-by: Peter Zijlstra Acked-by: Peter Zijlstra LKML-Reference: Signed-off-by: Ingo Molnar commit 1d76e3135733a06aa12bb35891c05f306b27b2d6 Author: Aneesh Kumar K.V Date: Mon Aug 30 17:43:07 2010 +0000 fs/9p: Don't use dotl version of mknod for dotu inode operations We should not use dotlversion for the dotu inode operations Signed-off-by: Aneesh Kumar K.V Signed-off-by: Eric Van Hensbergen commit 3c30750ffafbc32af040b09f777b67aa2486b063 Author: Aneesh Kumar K.V Date: Mon Aug 30 16:04:35 2010 +0000 fs/9p: Use the correct dentry operations We should use the cached dentry operation only if caching mode is enabled Signed-off-by: Aneesh Kumar K.V Signed-off-by: Eric Van Hensbergen commit 62726a7ab3a6a3624256172af055ff0a38c6ffa2 Author: jvrao Date: Wed Aug 25 16:26:21 2010 +0000 9p: Check for NULL fid in v9fs_dir_release() NULL fid should be handled in cases where we endup calling v9fs_dir_release() before even we instantiate the fid in filp. Signed-off-by: Venkateswararao Jujjuri Signed-off-by: Eric Van Hensbergen commit 5c25f347a7b00b2ebe0a55c4a3cfe4c3e1e8725e Author: Aneesh Kumar K.V Date: Tue Aug 24 10:30:49 2010 +0000 fs/9p: Fix error handling in v9fs_get_sb This was introduced by 7cadb63d58a932041afa3f957d5cbb6ce69dcee5 Signed-off-by: Aneesh Kumar K.V Signed-off-by: Eric Van Hensbergen commit 62b2be591a9b12c550308ef7718a31abfc815b50 Author: Latchesar Ionkov Date: Tue Aug 24 18:13:59 2010 +0000 fs/9p, net/9p: memory leak fixes Four memory leak fixes in the 9P code. Signed-off-by: Latchesar Ionkov Signed-off-by: Eric Van Hensbergen commit 99d389640b58052884fb231bce9dbffb4f595aa4 Author: Mark F. Brown Date: Thu Aug 26 04:56:51 2010 -0400 mtd: pxa3xx: fix build error when CONFIG_MTD_PARTITIONS is not defined Signed-off-by: Mark F. Brown Signed-off-by: Artem Bityutskiy Signed-off-by: David Woodhouse commit b8db2f51dcccbaf4d23ed44cd0c64856c58a16c0 Author: Sascha Hauer Date: Mon Aug 9 15:04:19 2010 +0200 mtd: mxc_nand: configure pages per block for v2 controller This patch initializes the pages per block field in CONFIG1 for v2 controllers. It also sets the FP_INT field. This is the last field not correctly initialized, so we can switch from read/modify/write the CONFIG1 reg to just write the correct value. Signed-off-by: Sascha Hauer Acked-by: John Ogness Tested-by: John Ogness Signed-off-by: David Woodhouse commit 53d1e137d5ddd8a1c5ec54c5375cb2832e1cbcd1 Author: Kyungmin Park Date: Fri Aug 27 11:55:37 2010 +0900 mtd: OneNAND: Fix loop hang when DMA error at Samsung SoCs When DMA error occurs. it's loop hang since it can't exit the loop. and it's the right DMA handling code as Spec. Signed-off-by: Kyungmin Park Signed-off-by: Artem Bityutskiy Signed-off-by: David Woodhouse commit 9aba97ad004ed0cde9747a9daf5b1484edb746cd Author: Kyungmin Park Date: Fri Aug 27 11:55:44 2010 +0900 mtd: OneNAND: Fix 2KiB pagesize handling at Samsung SoCs Wrong assumption bufferram can be switched between BufferRAM0 and BufferRAM1 Signed-off-by: Kyungmin Park Signed-off-by: David Woodhouse commit 8b865d5efd9205b131dd9a43a6f450c05d38aaa1 Author: Mike Frysinger Date: Sat Aug 28 16:42:04 2010 -0400 mtd: Blackfin NFC: fix invalid free in remove() Since info->mtd isn't dynamically allocated, we shouldn't attempt to kfree() it. Otherwise we get random fun corruption when unloading the driver built as a module. Signed-off-by: Mike Frysinger Signed-off-by: Artem Bityutskiy Signed-off-by: David Woodhouse commit eac15a429a27cb74115daaf4c1127c5e854d50e4 Author: Mike Frysinger Date: Sat Aug 28 01:45:00 2010 -0400 mtd: Blackfin NFC: fix build error after nand_scan_ident() change Seems some patches got out sync when being merged. The Blackfin NFC driver was updated to use nand_scan_ident(), but it missed the change where nand_scan_ident() now takes 3 arguments. So update this driver to fix build failures. Signed-off-by: Mike Frysinger Signed-off-by: Artem Bityutskiy Signed-off-by: David Woodhouse commit 827e3457022d0bb0b1bb8a0eb88501876fe7dcf0 Author: Trond Myklebust Date: Sun Sep 12 19:57:50 2010 -0400 SUNRPC: Fix the NFSv4 and RPCSEC_GSS Kconfig dependencies The NFSv4 client's callback server calls svc_gss_principal(), which is defined in the auth_rpcgss.ko The NFSv4 server has the same dependency, and in addition calls svcauth_gss_flavor(), gss_mech_get_by_pseudoflavor(), gss_pseudoflavor_to_service() and gss_mech_put() from the same module. The module auth_rpcgss itself has no dependencies aside from sunrpc, so we only need to select RPCSEC_GSS. Reported-by: Uwe Kleine-König Signed-off-by: Trond Myklebust commit fbf3fdd2443965d9ba6fb4b5fecd1f6e0847218f Author: Menyhart Zoltan Date: Sun Sep 12 19:55:26 2010 -0400 statfs() gives ESTALE error Hi, An NFS client executes a statfs("file", &buff) call. "file" exists / existed, the client has read / written it, but it has already closed it. user_path(pathname, &path) looks up "file" successfully in the directory-cache and restarts the aging timer of the directory-entry. Even if "file" has already been removed from the server, because the lookupcache=positive option I use, keeps the entries valid for a while. nfs_statfs() returns ESTALE if "file" has already been removed from the server. If the user application repeats the statfs("file", &buff) call, we are stuck: "file" remains young forever in the directory-cache. Signed-off-by: Zoltan Menyhart Signed-off-by: Trond Myklebust Cc: stable@kernel.org commit b20d37ca9561711c6a3c4b859c2855f49565e061 Author: Trond Myklebust Date: Sun Sep 12 19:55:26 2010 -0400 NFS: Fix a typo in nfs_sockaddr_match_ipaddr6 Reported-by: Ben Greear Signed-off-by: Trond Myklebust Cc: stable@kernel.org commit db5fe26541b6b48460104a0d949a27cdc7786957 Author: Miquel van Smoorenburg Date: Sun Sep 12 19:55:26 2010 -0400 sunrpc: increase MAX_HASHTABLE_BITS to 14 The maximum size of the authcache is now set to 1024 (10 bits), but on our server we need at least 4096 (12 bits). Increase MAX_HASHTABLE_BITS to 14. This is a maximum of 16384 entries, each containing a pointer (8 bytes on x86_64). This is exactly the limit of kmalloc() (128K). Signed-off-by: Miquel van Smoorenburg Signed-off-by: Trond Myklebust commit 651b2933b22a0c060e6bb940c4104eb447a61f9a Author: Bian Naimeng Date: Sun Sep 12 19:55:26 2010 -0400 gss:spkm3 miss returning error to caller when import security context spkm3 miss returning error to up layer when import security context, it may be return ok though it has failed to import security context. Signed-off-by: Bian Naimeng Signed-off-by: Trond Myklebust commit ce8477e1176389ed920550f4c925ad4a815b22d5 Author: Bian Naimeng Date: Sun Sep 12 19:55:25 2010 -0400 gss:krb5 miss returning error to caller when import security context krb5 miss returning error to up layer when import security context, it may be return ok though it has failed to import security context. Signed-off-by: Bian Naimeng Signed-off-by: Trond Myklebust commit b1bde04c6d9a120dec602cc8a70b8a7f21600883 Author: Fabio Olive Leite Date: Sun Sep 12 19:55:25 2010 -0400 Remove incorrect do_vfs_lock message The do_vfs_lock function on fs/nfs/file.c is only called if NLM is not being used, via the -onolock mount option. Therefore it cannot really be "out of sync with lock manager" when the local locking function called returns an error, as there will be no corresponding call to the NLM. For details, simply check the if/else on do_setlk and do_unlk on fs/nfs/file.c. Signed-Off-By: Fabio Olive Leite Reviewed-by: Jeff Layton Signed-off-by: Trond Myklebust commit 55576244eba805307a2b2b6a145b8f85f8c7c124 Author: J. Bruce Fields Date: Sun Sep 12 19:55:25 2010 -0400 SUNRPC: cleanup state-machine ordering This is just a minor cleanup: net/sunrpc/clnt.c clarifies the rpc client state machine by commenting each state and by laying out the functions implementing each state in the order that each state is normally executed (in the absence of errors). The previous patch "Fix null dereference in call_allocate" changed the order of the states. Move the functions and update the comments to reflect the change. Signed-off-by: J. Bruce Fields Signed-off-by: Trond Myklebust commit 006abe887c5e637d059c44310de6c92f36aded3b Author: Trond Myklebust Date: Sun Sep 12 19:55:25 2010 -0400 SUNRPC: Fix a race in rpc_info_open There is a race between rpc_info_open and rpc_release_client() in that nothing stops a process from opening the file after the clnt->cl_kref goes to zero. Fix this by using atomic_inc_unless_zero()... Reported-by: J. Bruce Fields Signed-off-by: Trond Myklebust Cc: stable@kernel.org commit 5a67657a2e90c9e4a48518f95d4ba7777aa20fbb Author: Trond Myklebust Date: Sun Sep 12 19:55:25 2010 -0400 SUNRPC: Fix race corrupting rpc upcall If rpc_queue_upcall() adds a new upcall to the rpci->pipe list just after rpc_pipe_release calls rpc_purge_list(), but before it calls gss_pipe_release (as rpci->ops->release_pipe(inode)), then the latter will free a message without deleting it from the rpci->pipe list. We will be left with a freed object on the rpc->pipe list. Most frequent symptoms are kernel crashes in rpc.gssd system calls on the pipe in question. Reported-by: J. Bruce Fields Signed-off-by: Trond Myklebust Cc: stable@kernel.org commit f2d47d02fd84343a3c5452daca6ed12c75618aff Author: J. Bruce Fields Date: Sun Sep 12 19:55:25 2010 -0400 Fix null dereference in call_allocate In call_allocate we need to reach the auth in order to factor au_cslack into the allocation. As of a17c2153d2e271b0cbacae9bed83b0eaa41db7e1 "SUNRPC: Move the bound cred to struct rpc_rqst", call_allocate attempts to do this by dereferencing tk_client->cl_auth, however this is not guaranteed to be defined--cl_auth can be zero in the case of gss context destruction (see rpc_free_auth). Reorder the client state machine to bind credentials before allocating, so that we can instead reach the auth through the cred. Signed-off-by: J. Bruce Fields Signed-off-by: Trond Myklebust Cc: stable@kernel.org commit f574c843191728d9407b766a027f779dcd27b272 Author: Tony Luck Date: Thu Sep 9 15:16:56 2010 -0700 [IA64] fix siglock When ia64 converted to using ticket locks, an inline implementation of trylock/unlock in fsys.S was missed. This was not noticed because in most circumstances it simply resulted in using the slow path because the siglock was apparently not available (under old spinlock rules). Problems occur when the ticket spinlock has value 0x0 (when first initialised, or when it wraps around). At this point the fsys.S code acquires the lock (changing the 0x0 to 0x1. If another process attempts to get the lock at this point, it will change the value from 0x1 to 0x2 (using new ticket lock rules). Then the fsys.S code will free the lock using old spinlock rules by writing 0x0 to it. From here a variety of bad things can happen. Signed-off-by: Tony Luck commit d530148ae8bffe1b33f50d1776d185a6e85dc774 Author: Shaohua Li Date: Fri Aug 20 16:49:43 2010 +0800 dquot: do full inode dirty in allocating space Alex Shi found a regression when doing ffsb test. The test has several threads, and each thread creates a small file, write to it and then delete it. ffsb reports about 20% regression and Alex bisected it to 43d2932d88e4. The test will call __mark_inode_dirty 3 times. without this commit, we only take inode_lock one time, while with it, we take the lock 3 times with flags ( I_DIRTY_SYNC,I_DIRTY_PAGES,I_DIRTY). Perf shows the lock contention increased too much. Below proposed patch fixes it. fs is allocating blocks, which usually means file writes and the inode will be dirtied soon. We fully dirty the inode to reduce some inode_lock contention in several calls of __mark_inode_dirty. Jan Kara: Added comment. Signed-off-by: Shaohua Li Signed-off-by: Alex Shi Signed-off-by: Jan Kara commit 25c8e03bdb769dfe2381f8b7942f05b0eb4bdf31 Author: Linus Walleij Date: Mon Sep 6 11:02:12 2010 +0200 spi/pl022: move probe call to subsys_initcall() The PL022 SPI bus is sometimes used for early stuff like regulators that need to be present at module_init() time, so we move this to a subsys_initcall(). Signed-off-by: Linus Walleij Signed-off-by: Grant Likely commit 32670396e7fc6e4f37451a69339968985461a374 Author: Jeff Layton Date: Fri Sep 3 12:00:50 2010 -0400 cifs: prevent possible memory corruption in cifs_demultiplex_thread cifs_demultiplex_thread sets the addr.sockAddr.sin_port without any regard for the socket family. While it may be that the error in question here never occurs on an IPv6 socket, it's probably best to be safe and set the port properly if it ever does. Break the port setting code out of cifs_fill_sockaddr and into a new function, and call that from cifs_demultiplex_thread. Signed-off-by: Jeff Layton Signed-off-by: Steve French commit 7332f2a6217ee6925f83ef0e725013067ed316ba Author: Jeff Layton Date: Fri Sep 3 12:00:49 2010 -0400 cifs: eliminate some more premature cifsd exits If the tcpStatus is still CifsNew, the main cifs_demultiplex_loop can break out prematurely in some cases. This is wrong as we will almost always have other structures with pointers to the TCP_Server_Info. If the main loop breaks under any other condition other than tcpStatus == CifsExiting, then it'll face a use-after-free situation. I don't see any reason to treat a CifsNew tcpStatus differently than CifsGood. I believe we'll still want to attempt to reconnect in either case. What should happen in those situations is that the MIDs get marked as MID_RETRY_NEEDED. This will make CIFSSMBNegotiate return -EAGAIN, and then the caller can retry the whole thing on a newly reconnected socket. If that fails again in the same way, the caller of cifs_get_smb_ses should tear down the TCP_Server_Info struct. Signed-off-by: Jeff Layton Signed-off-by: Steve French commit 522bbe65a2415fabce618186fc7777eb4c502989 Author: Jeff Layton Date: Fri Sep 3 12:00:49 2010 -0400 cifs: prevent cifsd from exiting prematurely When cifs_demultiplex_thread exits, it does a number of cleanup tasks including freeing the TCP_Server_Info struct. Much of the existing code in cifs assumes that when there is a cisfSesInfo struct, that it holds a reference to a valid TCP_Server_Info struct. We can never allow cifsd to exit when a cifsSesInfo struct is still holding a reference to the server. The server pointers will then point to freed memory. This patch eliminates a couple of questionable conditions where it does this. The idea here is to make an -EINTR return from kernel_recvmsg behave the same way as -ERESTARTSYS or -EAGAIN. If the task was signalled from cifs_put_tcp_session, then tcpStatus will be CifsExiting, and the kernel_recvmsg call will return quickly. There's also another condition where this can occur too -- if the tcpStatus is still in CifsNew, then it will also exit if the server closes the socket prematurely. I think we'll probably also need to fix that situation, but that requires a bit more consideration. Signed-off-by: Jeff Layton Signed-off-by: Steve French commit 4266d9118f85b050a341992f0cfab40d392ef32c Author: Steve French Date: Wed Sep 8 21:17:29 2010 +0000 [CIFS] ntlmv2/ntlmssp remove-unused-function CalcNTLMv2_partial_mac_key This function is not used, so remove the definition and declaration. Reviewed-by: Jeff Layton Signed-off-by: Shirish Pargaonkar Signed-off-by: Steve French commit 639e7a913d81f918bfbf506e6ecd54664f787cbd Author: Jeff Layton Date: Fri Sep 3 11:50:09 2010 -0400 cifs: eliminate redundant xdev check in cifs_rename The VFS always checks that the source and target of a rename are on the same vfsmount, and hence have the same superblock. So, this check is redundant. Remove it and simplify the error handling. Signed-off-by: Jeff Layton Signed-off-by: Steve French commit c8e56f1f4fb9f82f63e4ce6d73a14501d0432c76 Author: Steve French Date: Wed Sep 8 21:10:58 2010 +0000 Revert "[CIFS] Fix ntlmv2 auth with ntlmssp" This reverts commit 9fbc590860e75785bdaf8b83e48fabfe4d4f7d58. The change to kernel crypto and fixes to ntlvm2 and ntlmssp series, introduced a regression. Deferring this patch series to 2.6.37 after Shirish fixes it. Signed-off-by: Steve French Acked-by: Jeff Layton CC: Shirish Pargaonkar commit 745e507a9c79c6e1385d3414d5e56f3d4621a375 Author: Steve French Date: Wed Sep 8 21:09:27 2010 +0000 Revert "missing changes during ntlmv2/ntlmssp auth and sign" This reverts commit 3ec6bbcdb4e85403f2c5958876ca9492afdf4031. The change to kernel crypto and fixes to ntlvm2 and ntlmssp series, introduced a regression. Deferring this patch series to 2.6.37 after Shirish fixes it. Signed-off-by: Steve French Acked-by: Jeff Layton CC: Shirish Pargaonkar commit 56234e2767496c125a858f880f1b3a62e04a3406 Author: Steve French Date: Wed Sep 8 20:57:05 2010 +0000 Revert "Eliminate sparse warning - bad constant expression" This reverts commit 2d20ca835867d93ead6ce61780d883a4b128106d. The change to kernel crypto and fixes to ntlvm2 and ntlmssp series, introduced a regression. Deferring this patch series to 2.6.37 after Shirish fixes it. Signed-off-by: Steve French Acked-by: Jeff Layton CC: Shirish Pargaonkar commit 7100ae97266e387d25d0c8a5d9934931f0b07dbc Author: Steve French Date: Wed Sep 8 20:54:49 2010 +0000 Revert "[CIFS] Eliminate unused variable warning" The change to kernel crypto and fixes to ntlvm2 and ntlmssp series, introduced a regression. Deferring this patch series to 2.6.37 after Shirish fixes it. This reverts commit c89e5198b26a869ce2842bad8519264f3394dee9. Signed-off-by: Steve French Acked-by: Jeff Layton CC: Shirish Pargaonkar commit 05f25abcf6043952fb2a2d98735dec58ba1fcadb Author: Julia Lawall Date: Sun Aug 29 11:52:41 2010 +0200 powerpc/5200: mpc52xx_uart.c: Add of_node_put to avoid memory leak Add a call to of_node_put in the error handling code following a call to of_find_compatible_node. The semantic match that finds this problem is as follows: (http://coccinelle.lip6.fr/) // @r exists@ local idexpression x; expression E,E1; statement S; @@ *x = (of_find_node_by_path |of_find_node_by_name |of_find_node_by_phandle |of_get_parent |of_get_next_parent |of_get_next_child |of_find_compatible_node |of_match_node )(...); ... if (x == NULL) S <... when != x = E *if (...) { ... when != of_node_put(x) when != if (...) { ... of_node_put(x); ... } ( return <+...x...+>; | * return ...; ) } ...> of_node_put(x); // Signed-off-by: Julia Lawall Acked-by: Wolfram Sang Signed-off-by: Grant Likely commit 545074fb953e1753f6b8409db533ad7998789efb Author: Linus Walleij Date: Sat Aug 21 11:07:36 2010 +0200 spi/pl022: fix APB pclk power regression on U300 With the introduction of an AMBA PrimeCell per-cell block clock, the pclk was left on after probe() unless explicitly disabled. This clock is wired to the same clock on PL022 causing it to stay always on since. Fix this up properly by clocking the pclk whenever we want to write into any PL022 registers and clocking the external clock whenever we want to transmit messages on the bus. Signed-off-by: Linus Walleij Tested-by : Kevin Wells Signed-off-by: Grant Likely commit be7852a839b6dcd86db1a2d25b9a1a99f38db2db Author: Mark Brown Date: Mon Aug 23 17:40:56 2010 +0100 spi/spi_s3c64xx: Warn if PIO transfers time out When using PIO we have a timeout for the TX and RX FIFOs to ensure that the data actually gets transferred. Warn if we hit that timeout - it should never happen, but this makes sure we'll find out if it does. Signed-off-by: Mark Brown Acked-by: Jassi Brar Signed-off-by: Grant Likely commit c3f139b65585a5f29df47b2302ff8dbd9bdad0b0 Author: Jassi Brar Date: Fri Sep 3 10:36:46 2010 +0900 spi/s3c64xx: Fix incorrect reuse of 'val' local variable. Instead of, wrongly, reusing the 'val' variable, use a dedicated one for reading the status register. Signed-off-by: Jassi Brar Signed-off-by: Grant Likely commit 251ee478f2c877a9a80362e094c542fbac7f5651 Author: Jassi Brar Date: Fri Sep 3 10:36:26 2010 +0900 spi/s3c64xx: Fix compilation warning Fix compilation warning by typecasting the tx_buf pointer. [I'm not thrilled with resorting to a cast; but I cannot see a better way to go about this. I don't want to drop the const from struct spi_transfer ~~glikely] Signed-off-by: Jassi Brar Signed-off-by: Grant Likely commit e3e55ff5854655d8723ad8b307f02515aecc3df5 Author: Feng Tang Date: Tue Sep 7 15:52:06 2010 +0800 spi/dw_spi: clean the cs_control code commit 052dc7c45i "spi/dw_spi: conditional transfer mode change" introduced cs_control code, which has a bug by using bit offset for spi mode to set transfer mode in control register. Also it forces devices who don't need cs_control to re-configure the control registers for each spi transfer. This patch will fix them Signed-off-by: Feng Tang Signed-off-by: Grant Likely commit cbcc062abb16d39839b3d8d4e3d20360fc21eb58 Author: Yong Wang Date: Tue Sep 7 15:27:27 2010 +0800 spi/dw_spi: Allow interrupt sharing Allow interrupt sharing since exclusive interrupt line for DW SPI controller is not provided on every platform. Signed-off-by: Yong Wang Signed-off-by: Grant Likely commit 9d8f86b56093d7b06d81d4063d5b9a4cbf887e75 Author: Mark Brown Date: Tue Sep 7 16:37:52 2010 +0100 spi/spi_s3c64xx: Increase dead reckoning time in wait_for_xfer() For small transfers at high speeds the expected transfer time can easily be well under 1ms, causing the delay in wait_for_xfer() to be only the dead reckoning fudge factor of 5ms currently included. Experiments on some of my systems shows that this is marginal for some transfers so double it to 10ms. Signed-off-by: Mark Brown Acked-by: Jassi Brar Signed-off-by: Grant Likely commit d2a787fc57142ba8757142f1569603b4d0b714a4 Author: Mark Brown Date: Tue Sep 7 11:29:17 2010 +0100 spi/spi_s3c64xx: Move to subsys_initcall() Allow the use of the S3C64xx SPI controller with things like PMICs by moving the init up to subsys_initcall(). Signed-off-by: Mark Brown Acked-by: Jassi Brar Signed-off-by: Grant Likely commit eaca1386207a9e0314647d3a88967acb17cc30e3 Author: Jiri Kosina Date: Wed Sep 8 14:31:47 2010 +0200 HID: fixup blacklist entry for Asus T91MT The device is handled by hid-mosart driver, and therefore should be present in hid_blacklist[], not hid_ignore_list[]. Cc: Stephane Chatty Signed-off-by: Jiri Kosina commit cec15a0ece19116b6c2c53fedf9696c20124d491 Author: Roland Baum Date: Wed Sep 8 14:27:55 2010 +0200 HID: add device ID for new Asus Multitouch Controller The following patch instructs usbhid/hid-mosart to handle a new multitouch controller, built-in by some Asus EeePC T101MT models. Signed-off-by: Roland Baum Tested-by: Roland Baum Acked-by: Stéphane Chatty CC: Stéphane Chatty Signed-off-by: Jiri Kosina commit d34c4aa43df20bbf2730a67f14c1cf6d133d99e6 Author: Johan Hovold Date: Thu Sep 2 23:05:09 2010 +0200 HID: add no-get quirk for eGalax touch controller Add no-get quirk for eGalax touch controller to avoid timeout at probe. Signed-off-by: Johan Hovold Signed-off-by: Jiri Kosina commit 34860089c9e8abcc77428d29743b37ff756197e7 Author: David Lamparter Date: Mon Aug 30 23:54:17 2010 +0200 spi: free children in spi_unregister_master, not siblings introduced by 49dce689 ("spi doesn't need class_device") and bad-fixed by 350d0076 ("spi: fix double-free on spi_unregister_master"), spi_unregister_master would previously device_unregister all of the spi master's siblings (instead of its children). hilarity ensues. fix it to unregister children. Signed-off-by: David Lamparter Signed-off-by: Grant Likely commit 4e4438b86527e8bf1f49503a30d487e401e64f9c Author: Anton Vorontsov Date: Wed Sep 1 08:55:24 2010 -0600 gpiolib: Add 'struct gpio_chip' forward declaration for !GPIOLIB case With CONFIG_GPIOLIB=n, the 'struct gpio_chip' is not declared, so the following pops up on PowerPC: cc1: warnings being treated as errors In file included from arch/powerpc/platforms/52xx/mpc52xx_common.c:19: include/linux/of_gpio.h:74: warning: 'struct gpio_chip' declared inside parameter list include/linux/of_gpio.h:74: warning: its scope is only this definition or declaration, which is probably not what you want include/linux/of_gpio.h:75: warning: 'struct gpio_chip' declared inside parameter list make[2]: *** [arch/powerpc/platforms/52xx/mpc52xx_common.o] Error 1 This patch fixes the issue by providing the proper forward declaration. Signed-off-by: Anton Vorontsov Signed-off-by: Grant Likely commit 9f1a1fca35066117353994bff80a5115cddad7a2 Author: Michal Simek Date: Wed Sep 1 08:55:23 2010 -0600 of: Fix missing includes - ll_temac It is the next patch which is fixing missing header which were removed from prom.h. Related patches: "of/address: Clean up function declarations" (sha1 id 22ae782f8) "of: Fix missing includes" (sha1 id f1ca09b2b) Signed-off-by: Michal Simek Signed-off-by: Grant Likely commit 8944f4f3d9695e04f7091ab61da9aab7a4be5846 Author: Mark Brown Date: Wed Sep 1 08:55:23 2010 -0600 spi/spi_s3c64xx: Staticise non-exported functions Signed-off-by: Mark Brown Acked-by: Jassi Brar Signed-off-by: Grant Likely commit cc0fc0bbeb17dd33ed7bfea58d0178e9c007ff67 Author: Mark Brown Date: Wed Sep 1 08:55:22 2010 -0600 spi/spi_s3c64xx: Make probe more robust against missing board config The S3C64xx SPI driver requires the machine to call s3c64xx_spi_set_info() to select a few options, including the clock to use for the SPI controller. If this is not done then a NULL will be passed as the clock name for clk_get(), causing an obscure crash. Guard against this and other missing configuration by validating that the clock name has been filled in in the platform data that ets passed in. Signed-off-by: Mark Brown Signed-off-by: Grant Likely commit ebd11fecd3096b080c84fb35014916ae2b5ba64a Author: Thierry Reding Date: Mon Aug 30 13:11:42 2010 +0200 HID: Add quirk for eGalax touch controler. This patch adds a quirk for the eGalax touch controller which reports two pairs of axes. Signed-off-by: Thierry Reding Signed-off-by: Jiri Kosina commit c3dc66de59531c921c4638b1285075ea1c831186 Author: Jiri Kosina Date: Mon Aug 30 15:43:25 2010 +0200 HID: add support for another BTC Emprex remote control Add device ID for another variant of this remote control. Reported-by: Gregor Fuis Signed-off-by: Jiri Kosina commit f7b66e5e51d31c45c6039db9a6da7863fb75be1e Author: John Ogness Date: Fri Jun 18 18:59:47 2010 +0200 mxc_nand: Do not do byte accesses to the NFC buffer. This patch avoids byte access to the NFC buffer. Byte access to the NFC is not allowed. The patch is against linux-next 20100618. Signed-off-by: John Ogness Signed-off-by: Sascha Hauer Tested-by: John Ogness Signed-off-by: David Woodhouse commit c29771c2d8ceb907ed45eb8c7fc0450308140aca Author: Alan Ott Date: Tue Aug 17 00:44:04 2010 -0400 HID: Set Report ID properly for Output reports on the Control endpoint. When I made commit 29129a98e6fc89 ("HID: Send Report ID when numbered reports are sent over the control endpoint"), I didn't account for *buf not being the report ID anymore, as buf is incremented. Signed-off-by: Alan Ott Signed-off-by: Jiri Kosina commit 426409b1edcd7db922dd326911eba23d5a06d098 Author: Decio Fonini Date: Tue Aug 24 17:45:49 2010 +0200 HID: Kanvus Note A5 tablet needs HID_QUIRK_MULTI_INPUT The Kanvus Note A5 tablet (with USB ID 5543:6001, USB vendor UC_Logic) needs the HID_QUIRK_MULTI_INPUT in order to work out of the box; otherwise, we get the usual "cursor stuck at the upper left corner of the screen". Signed-off-by: Decio Fonini Signed-off-by: Jiri Kosina commit 7cacfa87d3018c68bef2defeda8948f753dfa9d0 Author: David Gow Date: Thu Aug 19 15:43:56 2010 +0800 HID: Add support for chicony multitouch screens. Adds a hid quirk for the chicony multitouch screen found in the Acer Aspire 1820pt notebook. Signed-off-by: David Gow Signed-off-by: Jiri Kosina